Database and cookie-based login system

Hi all,

I am a little bit confused at the moment. I'm trying to build a database and cookie-based login system.

After I experimented a bit and read http://www.yiiframework.com/forum/index.php?/topic/11858-security-implications-with-cwebuser/ I started to build a system like this:

  • Use two cookies:
      ◦ First with encrypted username/userId
      ◦ Second with an information hash which is unique for this user
  • On autoLogin, the username from cookie one is decrypted, and the user information is fetched from the database
  • From the user info a hash is built, which is compared to the hash from cookie two.
  • If the hashes are equal, the user is logged in.

Now, as I understood the CWebUser/CUserIdentity concept on login, all information stored as "states" in the user identity will be stored in the cookie.

So I tried to see which states are set by default, by using $identity->getPersistentStates(), which returns an empty array.

But when I log in the user, all data from my user identity is stored in plain text in the cookie. So I think I don't get the concept here?!

How can I control what is stored in the cookie on login?

In my scenario, would this only be the encrypted username?

How would I integrate the second cookie?

I appreciate every hint.

Thanks in advance, best regards,

Florian
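The two-cookie scheme described in the post, written out as an added, framework-independent example (it is not Yii code and not code from the original thread). Cookie one carries the user identifier; because the Python standard library has no AES, the "encrypted" identifier is replaced here by an identifier plus an HMAC tag under a server-side key, which is tamper-evident but not confidential, and that substitution is an assumption of this example. Cookie two is a keyed hash over the user's database record (username and password hash), so a password change invalidates every outstanding remember-me cookie. The `USERS` table, the `SERVER_KEY` and the user record are constructed sample data.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Server-side secret. Constructed here for the example; a real deployment loads
# it from configuration and never regenerates it on every process start.
SERVER_KEY = secrets.token_bytes(32)

# Constructed stand-in for the users table: id -> record.
USERS = {
    42: {
        "username": "florian",
        "password_hash": hashlib.sha256(b"example-password").hexdigest(),
    },
}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def user_fingerprint(record: dict) -> bytes:
    """Cookie two: keyed hash over the record fields whose change must end the session."""
    material = f"{record['username']}:{record['password_hash']}".encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).digest()


def issue_cookies(user_id: int) -> Tuple[str, str]:
    """Build both cookie values for a freshly logged-in user."""
    record = USERS[user_id]
    ident = str(user_id).encode("ascii")
    # Assumption: HMAC tag instead of encryption (see lead-in); the id is visible.
    tag = hmac.new(SERVER_KEY, ident, hashlib.sha256).digest()
    cookie_one = _b64e(ident) + "." + _b64e(tag)
    cookie_two = _b64e(user_fingerprint(record))
    return cookie_one, cookie_two


def auto_login(cookie_one: str, cookie_two: str) -> Optional[int]:
    """Return the user id if both cookies verify against the database, else None."""
    try:
        ident_b64, tag_b64 = cookie_one.split(".", 1)
        ident = _b64d(ident_b64)
        tag = _b64d(tag_b64)
        presented = _b64d(cookie_two)
    except (ValueError, TypeError):
        return None
    # Step 1: the identifier cookie must carry a valid tag before we touch the DB.
    expected_tag = hmac.new(SERVER_KEY, ident, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None
    try:
        user_id = int(ident.decode("ascii"))
    except ValueError:
        return None
    # Step 2: fetch the user record and rebuild the fingerprint from it.
    record = USERS.get(user_id)
    if record is None:
        return None
    # Step 3: constant-time comparison against cookie two.
    if not hmac.compare_digest(presented, user_fingerprint(record)):
        return None
    return user_id


def change_password(user_id: int, new_password: bytes) -> None:
    """Updating the stored hash changes the fingerprint, so old cookies stop verifying."""
    USERS[user_id]["password_hash"] = hashlib.sha256(new_password).hexdigest()


if __name__ == "__main__":
    c1, c2 = issue_cookies(42)
    print("auto-login before password change:", auto_login(c1, c2))
    change_password(42, b"new-password")
    print("auto-login after password change:", auto_login(c1, c2))
```

The fingerprint is keyed with the server secret so a database read alone does not let anyone forge cookie two, and both comparisons use `hmac.compare_digest` rather than `==`.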

Yii is already taking care of the security of the username… I don't see the point in hashing it at all…

try to get the state via user->id etc. or getState() …

If you take, for example, the standard demo app after you create a new webapp, then the username and password are written in plain text to the cookie if you choose 'remember me'.

In this demo, $identity->getPersistentStates() is an empty array. So I don't understand how what goes into the cookie is controlled.

Anyone?